I’m wondering… Will this bug also appear if I change my browser identity string into something with a single quote in it? Seems that this idea has already been tested + fixed in the latest version of StatPress. ‘Unfortunately’ the $_SERVER['HTTP_REFERER'] string is escaped automagically. Which seems to be done by WordPress itself, since if I try to echo $_SERVER['HTTP_REFERER'] within the StatPress plugin the ‘ in my referrer is escaped with a \, while this is not the case in a normal PHP script. I say unfortunately since the StatPress plugin writer doesn’t escape the referrer himself.

Most striking though was that I just read a post from Tom Kyte about bad practice on SQL. The quote “… apostrophe is often mistaken for a piece of computer code, corrupting the system. …” was nice. So don’t use apostrophes please, they corrupt computer systems.

P.S. True, this bug is not related to WordPress itself, since it was just a plugin writer who screwed up…
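
An added example, not part of the original post and not StatPress or WordPress code: the referrer handling discussed above, with the concatenated query beside a bound parameter. It assumes an in-memory SQLite database (PHP's pdo_sqlite) in place of the plugin's database and uses addslashes() to stand in for the automatic escaping the post observed; the table, function names and sample referrer are constructed.

```php
<?php
// Added illustration; not StatPress or WordPress code.
// Assumptions: in-memory SQLite stands in for the plugin's database, and
// addslashes() stands in for the automatic escaping the post observed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hits (id INTEGER PRIMARY KEY, referrer TEXT)');

// Constructed sample: a referrer containing one apostrophe.
$raw = "http://example.test/o'reilly";
$slashed = addslashes($raw);   // what the plugin sees after the framework's pass

// "Before": header value concatenated straight into the statement.
function record_concat(PDO $db, string $referrer): string {
    try {
        $db->exec("INSERT INTO hits (referrer) VALUES ('$referrer')");
        return 'stored';
    } catch (PDOException $e) {
        return 'query broke: ' . $e->getMessage();
    }
}

// "After": value passed as a bound parameter, never parsed as SQL.
function record_bound(PDO $db, string $referrer): string {
    $stmt = $db->prepare('INSERT INTO hits (referrer) VALUES (?)');
    $stmt->execute([$referrer]);
    return 'stored';
}

echo "concat, raw value:      ", record_concat($db, $raw), "\n";
// Binding the pre-slashed value is safe but keeps the added backslash as data.
echo "bound, slashed value:   ", record_bound($db, $slashed), "\n";
// Undo the added slashes first, then bind: the header is stored unchanged.
echo "bound, unslashed value: ", record_bound($db, stripslashes($slashed)), "\n";

foreach ($db->query('SELECT referrer FROM hits ORDER BY id') as $row) {
    echo "row: ", $row['referrer'], "\n";
}
```

The bound statement does not depend on whether anything upstream escaped the header, which is why the plugin should not lean on the framework's slashing; the only extra step is removing those slashes so they are not stored as data.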